Abstract
MITRE Corporation presents the ATT&CK Matrix, which maps malware behavior to tactics, techniques, and procedures (TTPs), providing a comprehensive view that clarifies the inner mechanisms of malware more accurately. However, manual mapping is time-consuming, while rule-based and feature-based mapping methods often under-report or misreport many attacks. Inspired by the successful application of image multi-label classification techniques, we propose a method called Malware2ATT&CK to automatically map malware to ATT&CK techniques. The method applies pre-trained models to extract features from two pieces of static analysis information: the assembly instructions and the API calls of the malware. The malicious techniques are identified by a multi-label classifier based on a graph neural network and a knowledge graph. In experiments over two test sets, Malware2ATT&CK shows excellent performance, achieving an average F1 score of 83.6% in the technique mapping task. Further evaluation indicates that the high accuracy of the predictions is due to the method's ability to accurately capture the correlation between behaviors.